Vulnerability Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Olivetin | Olivetin | <= 3000.10.2 |
Related Weaknesses (CWE)
References
- https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c2Patch
- https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9ExploitVendor Advisory
- https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9ExploitVendor Advisory
FAQ
What is CVE-2026-28789?
CVE-2026-28789 is a vulnerability with a CVSS score of 7.5 (HIGH). OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurre...
How severe is CVE-2026-28789?
CVE-2026-28789 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28789?
Check the references section above for vendor advisories and patch information. Affected products include: Olivetin Olivetin.